Broadly speaking, an information security program is the set of policies, activities, and initiatives that protect the confidentiality, integrity, and availability of business data while enabling the company to accomplish its business objectives. It safeguards the proprietary information of the business and of its customers.
The Gramm-Leach-Bliley Act (GLBA) gives a more specific definition of what an information security program should contain. If your organization is subject to GLBA, its Safeguards Rule requires a written information security program with administrative, technical, and physical safeguards appropriate to the size and complexity of your organization, the nature and scope of its activities, and the sensitivity of the customer information you handle.
Other regulations, such as HIPAA and the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500), make periodic risk assessment a central, required element of an information security program.
In this guide, we outline the information security program lifecycle, explain how to create an information security program, and provide a template you can use to get started.
The information security program lifecycle
There are many ways to structure your information security program, but one useful framework is the Department of Defense's information security program lifecycle, which describes how to classify, protect, share, and ultimately dispose of proprietary, sensitive, and regulated information. Its steps are the following.
- Classification: determine which information requires protection against unauthorized disclosure, and mark it to indicate its classified status.
- Safeguarding: implement prescribed measures and controls to protect classified information.
- Dissemination: establish secure ways to share or transmit classified information to those authorized to access it.
- Declassification: authorize a change in status from classified to unclassified once the information no longer requires protection.
- Destruction: destroy classified information so that it cannot be recognized or reconstructed.
The DoD lifecycle translates easily into a business context. Rather than classifying information in the government sense, a business's IT team identifies the intellectual property, protected health information (PHI), personally identifiable information (PII), or nonpublic personal information (NPI) that requires protection. In essence, the lifecycle consists of identifying information, assessing the level of protection it needs, securing the systems and records that hold it through layered controls and tools, monitoring it for breaches or unauthorized access, and disposing of it securely when it is no longer needed.
How to create an infosec plan
Approaching information security can be a mammoth task, so a written infosec plan helps guide your team in implementing the right controls and compliance mechanisms. The steps below follow the lifecycle above.
Start with a regulatory review of the compliance standards to which your company may be subject. Compile a list of every regulation your business needs to meet (GDPR, GLBA, HIPAA, and PCI DSS, for instance), since each one adds specific requirements to the program.
Next, take inventory of your assets. Where does information live in your organization? List all the hardware, software, and cloud services your company uses, including SaaS tools adopted by individual teams, along with the safeguards and controls already in place. You cannot classify, protect, or monitor data in a system you do not know about.
Following the lifecycle, the next phase is to classify your data. Define the levels of sensitivity that apply to the data your organization uses (for example public, internal, confidential, and restricted) and decide which data falls into each. That classification determines who should have access, how the data must be stored, and which transfer mechanisms may be used to share it inside and outside the organization.
Then, perform a series of assessments. The first evaluates your existing safeguards: which policies and procedures are currently in place, and are they actually working? Penetration testing and vulnerability scanning help here by testing controls against real attack techniques rather than on paper. You may also want to perform a full risk assessment to get a complete picture of the threats to the company's operations, functions, image, reputation, and assets. After that, carry out a third-party risk assessment to see whether critical vendors introduce additional risk into your environment, since a vendor's access to your systems or data extends your attack surface.
Finally, train your employees on information security best practices, and schedule the regulatory review, inventory, and assessments to recur: the program is a lifecycle, not a one-time project.
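The classification step above is easier to reason about once it is expressed as something a script can enforce. The example below is added here and is not the article's or any vendor's code; the four tiers, the transfer policy, the three detectors, and the sample messages are all constructed assumptions, and a real program would carry many more detectors tuned against its own data. It scans a message for a few kinds of regulated data, assigns the highest tier any detector reaches, and answers the transfer-mechanism question the step poses (may this go over Slack?). Two details are worth noting: candidate card numbers are Luhn-checked so a 16-digit order reference is not misclassified as restricted, and a message with no detector hits defaults to internal rather than public, because a scanner can only raise a classification, never prove data is safe to publish.

```python
"""Toy data-classification scanner for the 'classify your data' step.

Added example. The tiers, transfer policy, detectors, and samples below are
constructed assumptions, not the article's or any vendor's logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed four-tier scheme, ordered least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Assumed transfer policy: which channels may carry data of each tier.
TRANSFER_POLICY: Dict[str, Set[str]] = {
    "public": {"public_link", "email", "slack", "internal_drive"},
    "internal": {"email", "slack", "internal_drive"},
    "confidential": {"internal_drive", "encrypted_email"},
    "restricted": {"encrypted_vault"},
}

# Deliberately narrow patterns: US SSN (rejects invalid area/group/serial
# blocks), 13-19 digit card numbers with optional space/dash separators, email.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    detector: str
    level: str
    redacted: str  # never keep the raw value; keep only enough to triage


def _mask(value: str, keep: int = 4) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan(text: str) -> List[Finding]:
    """Run every detector over text and return what fired, values masked."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("us_ssn", "restricted", _mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops order numbers and other look-alikes
            findings.append(Finding("card_number", "restricted", _mask(digits)))
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append(Finding("email", "confidential", local[0] + "***@" + domain))
    return findings


def classify(text: str) -> str:
    """Highest tier any detector assigns; no hit means 'internal', not 'public'."""
    findings = scan(text)
    if not findings:
        return "internal"
    return max((f.level for f in findings), key=LEVELS.index)


def share_allowed(text: str, channel: str) -> bool:
    """The transfer-mechanism decision the classification step feeds."""
    return channel in TRANSFER_POLICY[classify(text)]


# Constructed sample messages (not real data).
SAMPLES = {
    "standup": "Deploy went fine, retro at 3pm.",
    "support": "Customer alice@example.com says card 4111 1111 1111 1111 was charged twice.",
    "payroll": "New hire SSN 123-45-6789 for payroll setup.",
    "order": "Order ref 4111 1111 1111 1112 shipped today.",  # 16 digits, fails Luhn
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        hits = [f.detector for f in scan(text)]
        verdict = "slack ok" if share_allowed(text, "slack") else "slack blocked"
        print(f"{name:8} {classify(text):12} {hits} {verdict}")
```

Running the block prints one line per sample: the standup note and the order reference classify as internal and may go over Slack, while the support message (email plus a Luhn-valid card number) and the payroll note (SSN) classify as restricted and are blocked. The masked `redacted` field is what you would log or show an admin; the raw match never leaves `scan`.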
[Read more: The Security Playbook for Remote-first Organizations]
Information security program template
If your compliance standards demand a written information security program, the template outlined below can serve as a starting point. Consider using these sections.
- Terms and definitions
- Roles and responsibilities
- Security program: detail the company's infosec goals, including business continuity planning, risk management, audit and assessment, privacy, and so on.
- Security components:
  - Risk management
  - Asset management
  - Human resources security
  - Physical security
  - Access control
  - Incident management
  - Information systems acquisition, development, and maintenance
  - Supplier (third-party) relationships, covering the vendor assessments described above
  - Business continuity
These components mirror the control domains of ISO/IEC 27002, so an organization working toward ISO/IEC 27001 certification can map each section of the program directly onto that standard.
Include the specific tools and practices you will use throughout this plan, such as multifactor authentication, password managers, and cloud DLP. For an overview of these tools and of critical security processes, see our Security Playbook for Remote-first Organizations, where we illustrate how remote teams of any size can build a robust security program using the NIST SP 800 series.
Nightfall's cloud DLP scans data with over 150 machine learning-based detectors and flags instances where sensitive information is shared in potentially unsafe ways in platforms like Slack, GitHub, and Google Drive. It also provides the tools to remediate issues quickly by notifying admins and quarantining or deleting the data.
Learn more about adding Nightfall to your information security program by setting up a demo at the link below.